In brief
- North Korean hackers are targeting crypto professionals with fake job interviews to deploy new Python-based malware, PylangGhost.
- The malware steals credentials from 80+ browser extensions, including Metamask and 1Password, and enables persistent remote access.
- Attackers pose as recruiters from firms like Coinbase and Uniswap, tricking victims into running malicious commands disguised as video driver installs.
North Korean hackers are luring crypto professionals into elaborate fake job interviews designed to steal their data and deploy sophisticated malware on their devices.
A new Python-based remote access trojan called "PylangGhost," links malware to a North Korean-affiliated hacking collective called "Famous Chollima," also known as "Wagemole,” threat intelligence research firm Cisco Talos reported on Wednesday.
"Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies," the firm wrote.
The campaign primarily targets crypto and blockchain professionals in India, using fraudulent job sites that impersonate legitimate companies, including Coinbase, Robinhood, and Uniswap.
The scheme begins with fake recruiters directing job seekers to skill-testing websites where victims enter personal details and answer technical questions.
There's More to North Korea's Hacking Ops Than Just Lazarus Group: Paradigm
In February, North Korean hackers broke headlines with what is now regarded as the largest single hack in crypto history. The Lazarus Group stole at least $1.4 billion from Bybit and later funneled those funds to crypto mixers. "Someone had pulled off the biggest hack in [crypto] history, and we had a front-row seat," Samczsun, Research Partner at Paradigm, recalled in a blog post. The researcher said they witnessed the theft in real-time and collaborated with Bybit to confirm the unauthorized a...
After completing the assessments, candidates are instructed to enable camera access for a video interview and then prompted to copy and execute malicious commands disguised as video driver installations.
Dileep Kumar H V, director at Digital South Trust, told Decrypt that to counter these scams, “India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.”
A vital need for awareness
“CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he said, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.”
The newly discovered PylangGhost malware can steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as Metamask, 1Password, NordPass, and Phantom.
The Trojan establishes persistent access to infected systems and executes remote commands from command-and-control servers.
This latest operation aligns with North Korea's broader pattern of crypto-focused cybercrime, which includes the notorious Lazarus Group, responsible for some of the industry's largest heists.
Apart from stealing funds directly from exchanges, the regime is now targeting individual professionals to gather intelligence and potentially infiltrate crypto companies from within.
The group has been conducting hiring-based attacks since at least 2023 through campaigns like "Contagious Interview" and "DeceptiveDevelopment," which have targeted crypto developers on platforms including GitHub, Upwork, and CryptoJobsList.
BitMEX Blocks Lazarus Phishing Attempt, Calls Tactics ‘Unsophisticated’
BitMEX said it has thwarted an attempted phishing attack by the Lazarus Group, describing the attempt as using "unsophisticated" phishing methods by the notorious North Korea-linked group. In a blog post published on May 30, the crypto exchange detailed how an employee was approached via LinkedIn under the guise of a Web3 NFT collaboration. The attacker tried to lure the target into running a GitHub project containing malicious code on their computer, a tactic the firm says has become a hallmar...
Mounting cases
Earlier this year, North Korean hackers established fake U.S. companies—BlockNovas LLC and SoftGlide LLC—to distribute malware through fraudulent job interviews before the FBI seized the BlockNovas domain.
The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities.
The Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns.
Radiant Capital Says DPRK Actor Posed as Ex-Contractor to Pull Off $50 Million Hack
Hackers from the Democratic People’s Republic of Korea (DPRK)—commonly known as North Korea—are responsible for the recent Radiant Capital hack, the firm claims. In mid-October, decentralized finance (DeFi) protocol Radiant Capital lost about $50 million to what the team described as “one of the most sophisticated hacks ever recorded in DeFi.” Now, in a more recent update, Radiant Capital’s contracted cybersecurity firm Mandiant “assesses with high confidence that this attack is attributable to...
The attackers maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as "quickcamfix.online" and "autodriverfix online," according to the report.
A joint statement from Japan, South Korea, and the U.S. confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple cryptocurrency heists in 2024.
In December 2024, the $50 million Radiant Capital hack began when North Korean operatives posed as former contractors and sent malware-laden PDFs to engineers.
Similarly, crypto exchange Kraken revealed in May that it successfully identified and thwarted a North Korean operative who applied for an IT position, catching the applicant when they failed basic identity verification tests during interviews.
Edited by Sebastian Sinclair
Daily Debrief Newsletter
